| http://bugs.gentoo.org/165444 |
| https://bugzilla.mindrot.org/show_bug.cgi?id=1008 |
| |
| Index: readconf.c |
| =================================================================== |
| RCS file: /cvs/openssh/readconf.c,v |
| retrieving revision 1.135 |
| diff -u -r1.135 readconf.c |
| --- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 |
| +++ readconf.c 19 Aug 2006 11:59:52 -0000 |
| @@ -126,6 +126,7 @@ |
| oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
| oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
| oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
| + oGssTrustDns, |
| oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
| oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, |
| oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
| @@ -163,9 +164,11 @@ |
| #if defined(GSSAPI) |
| { "gssapiauthentication", oGssAuthentication }, |
| { "gssapidelegatecredentials", oGssDelegateCreds }, |
| + { "gssapitrustdns", oGssTrustDns }, |
| #else |
| { "gssapiauthentication", oUnsupported }, |
| { "gssapidelegatecredentials", oUnsupported }, |
| + { "gssapitrustdns", oUnsupported }, |
| #endif |
| { "fallbacktorsh", oDeprecated }, |
| { "usersh", oDeprecated }, |
| @@ -444,6 +447,10 @@ |
| intptr = &options->gss_deleg_creds; |
| goto parse_flag; |
| |
| + case oGssTrustDns: |
| + intptr = &options->gss_trust_dns; |
| + goto parse_flag; |
| + |
| case oBatchMode: |
| intptr = &options->batch_mode; |
| goto parse_flag; |
| @@ -1010,6 +1017,7 @@ |
| options->challenge_response_authentication = -1; |
| options->gss_authentication = -1; |
| options->gss_deleg_creds = -1; |
| + options->gss_trust_dns = -1; |
| options->password_authentication = -1; |
| options->kbd_interactive_authentication = -1; |
| options->kbd_interactive_devices = NULL; |
| @@ -1100,6 +1108,8 @@ |
| options->gss_authentication = 0; |
| if (options->gss_deleg_creds == -1) |
| options->gss_deleg_creds = 0; |
| + if (options->gss_trust_dns == -1) |
| + options->gss_trust_dns = 0; |
| if (options->password_authentication == -1) |
| options->password_authentication = 1; |
| if (options->kbd_interactive_authentication == -1) |
| Index: readconf.h |
| =================================================================== |
| RCS file: /cvs/openssh/readconf.h,v |
| retrieving revision 1.63 |
| diff -u -r1.63 readconf.h |
| --- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 |
| +++ readconf.h 19 Aug 2006 11:59:52 -0000 |
| @@ -45,6 +45,7 @@ |
| /* Try S/Key or TIS, authentication. */ |
| int gss_authentication; /* Try GSS authentication */ |
| int gss_deleg_creds; /* Delegate GSS credentials */ |
| + int gss_trust_dns; /* Trust DNS for GSS canonicalization */ |
| int password_authentication; /* Try password |
| * authentication. */ |
| int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
| Index: ssh_config.5 |
| =================================================================== |
| RCS file: /cvs/openssh/ssh_config.5,v |
| retrieving revision 1.97 |
| diff -u -r1.97 ssh_config.5 |
| --- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 |
| +++ ssh_config.5 19 Aug 2006 11:59:53 -0000 |
| @@ -483,7 +483,16 @@ |
| Forward (delegate) credentials to the server. |
| The default is |
| .Dq no . |
| -Note that this option applies to protocol version 2 only. |
| +Note that this option applies to protocol version 2 connections using GSSAPI. |
| +.It Cm GSSAPITrustDns |
| +Set to |
| +.Dq yes to indicate that the DNS is trusted to securely canonicalize |
| +the name of the host being connected to. If |
| +.Dq no, the hostname entered on the |
| +command line will be passed untouched to the GSSAPI library. |
| +The default is |
| +.Dq no . |
| +This option only applies to protocol version 2 connections using GSSAPI. |
| .It Cm HashKnownHosts |
| Indicates that |
| .Xr ssh 1 |
| Index: sshconnect2.c |
| =================================================================== |
| RCS file: /cvs/openssh/sshconnect2.c,v |
| retrieving revision 1.151 |
| diff -u -r1.151 sshconnect2.c |
| --- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 |
| +++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 |
| @@ -499,6 +499,12 @@ |
| static u_int mech = 0; |
| OM_uint32 min; |
| int ok = 0; |
| + const char *gss_host; |
| + |
| + if (options.gss_trust_dns) |
| + gss_host = get_canonical_hostname(1); |
| + else |
| + gss_host = authctxt->host; |
| |
| /* Try one GSSAPI method at a time, rather than sending them all at |
| * once. */ |
| @@ -511,7 +517,7 @@ |
| /* My DER encoding requires length<128 */ |
| if (gss_supported->elements[mech].length < 128 && |
| ssh_gssapi_check_mechanism(&gssctxt, |
| - &gss_supported->elements[mech], authctxt->host)) { |
| + &gss_supported->elements[mech], gss_host)) { |
| ok = 1; /* Mechanism works */ |
| } else { |
| mech++; |